Apache Configuration (best Apache configuration tutorial) _php Tips

Source: Internet
Author: User
Tags http authentication openssl

Apache Configuration

The Apache configuration is configured by the httpd.conf file, so the following configuration directives are modified in the httpd.conf file.
Configuration of the primary site (basic configuration)

(1) Basic configuration:

ServerRoot "/mnt/software/apache2" #你的apache软件安装的位置. Other specified directories If you do not specify an absolute path, the directory is relative to the directory.

Pidfile the process number file location of the Logs/httpd.pid #第一个httpd进程 (the parent process for all other processes).

Listen #服务器监听的端口号.

ServerName www.clusting.com:80 #主站点名称 (the host name of the site).
ServerAdmin admin@clusting.com #管理员的邮件地址.
DocumentRoot "/mnt/web/clusting" #主站点的网页存储位置.

The following are access controls on the directory of the primary site:

Copy Code code as follows:

<directory "/mnt/web/clusting" >
Options FollowSymLinks
AllowOverride None
Order Allow,deny
Allow from all

In the above directory attribute configuration, there are mainly the following options:

Options: Configure which features are used in a particular directory, commonly used values and basic meanings are as follows:
EXECCGI: This directory allows CGI scripts to be executed.
FollowSymLinks: Allows the file system to use symbolic connections under this directory.
Indexes: When the user accesses the directory, if the user cannot find the home page file specified by DirectoryIndex (for example, index.html), the list of files in that directory is returned to the user.
SymLinksIfOwnerMatch: When using symbolic connections, access is only available if the file owner of the symbolic connection is the same as the owner of the actual file.

Other available values and meanings see: Http://www.clusting.com/Apache/ApacheManual/mod/core.html#options

AllowOverride: the instruction type (. htaccess file name that is allowed to exist in the. htaccess file can be changed and its file name is determined by the ACCESSFILENAME Directive):
None: When AllowOverride is set to none. The. htaccess file under this directory is not searched (you can reduce server overhead).

All: You can use all the instructions in the. htaccess file.

Other available values and meanings (such as: Options FileInfo authconfig limit), see: http://www.clusting.com/Apache/ApacheManual/mod/core.html# AllowOverride

Order: Control allow and deny two access rules when accessing the precedence:

Allow: List of hosts allowed to access (available domain name or subnet, for example: Allow from

Deny: The list of hosts that are denied access.

More detailed usage can be see: http://www.clusting.com/Apache/ApacheManual/mod/mod_access.html#order

DirectoryIndex index.html index.htm index.php #主页文件的设置 (This example sets the home page file to: index.html,index.htm and index.php)

(2) Server optimization (mpm:multi-processing Modules)
The main advantage of APACHE2 is that support for multiprocessor is better, and the--WITH-MPM option is used at compile time to determine the working mode of apache2. If you know what the current apache2 is working with, you can use the HTTPD-L command to list all of Apache's modules to know how it works:

Prefork: If httpd-l lists prefork.c, you need to configure the following segment:

<ifmodule prefork.c>
Startservers 5 #启动apache时启动的httpd进程个数.
Minspareservers 5 #服务器保持的最小空闲进程数.
Maxspareservers #服务器保持的最大空闲进程数.
MaxClients #最大并发连接数.
Maxrequestsperchild 1000 #每个子进程被请求服务多少次后被kill掉. 0 means no limit, the recommended setting is 1000.

In this mode of operation, the server starts to move 5 httpd processes (plus a total of 6 parent processes, which can be seen through the Ps-ax|grep httpd command). When a user connects, Apache uses an idle process to service the connection, and the parent process fork a child process. Until the idle process in memory reaches Maxspareservers. This mode is intended to be compatible with some older versions of the program. My default compile-time options.

Worker: If httpd-l lists worker.c, you need to configure the following segment:

<ifmodule worker.c>
Startservers 2 #启动apache时启动的httpd进程个数.
MaxClients #最大并发连接数.
Minsparethreads #服务器保持的最小空闲线程数.
Maxsparethreads #服务器保持的最大空闲线程数.
Threadsperchild #每个子进程的产生的线程数.
Maxrequestsperchild 0 #每个子进程被请求服务多少次后被kill掉. 0 means no limit, the recommended setting is 1000.

This mode is a thread that listens for client connections. When a new client connects, one of the idle threads accepts the connection. The server starts two processes at startup, and each process produces a fixed number of threads (threadsperchild decision), so it starts with 50 threads. When 50 threads are not enough, the server automatically fork a process and then generates 25 threads.

Perchild: If httpd-l lists PERCHILD.C, you need to configure the following segment:

<ifmodule perchild.c>
Numservers 5 #服务器启动时启动的子进程数
Startthreads 5 #每个子进程启动时启动的线程数
Minsparethreads 5 #内存中的最小空闲线程数
Maxsparethreads #最大空闲线程数
Maxthreadsperchild #每个线程最多被请求多少次后退出. 0 is not restricted.
Maxrequestsperchild 10000 #每个子进程服务多少次后被重新fork. 0 means unrestricted.

In this mode, the number of child processes is fixed and the number of threads is unrestricted. When the client connects to the server, the idle thread provides the service. If the number of idle threads is insufficient, the child processes automatically generate threads to service the new connection. This mode is used for multi-site servers.
(3) HTTP header back information configuration:

Servertokens Prod #该参数设置http头部返回的apache版本信息, the available values and meanings are as follows:

Prod: Software name only, for example: Apache
Major: Include major version number, for example: APACHE/2
Minor: Include minor version number, for example: apache/2.0
Min: The full version number of Apache only, for example: apache/2.0.54
OS: Includes operating system type, for example: apache/2.0.54 (Unix)
Full: Includes the module and module version number that Apache supports, for example: apache/2.0.54 (Unix) mod_ssl/2.0.54 openssl/0.9.7g
Serversignature off #在页面产生错误时是否出现服务器版本信息. Recommended set to OFF

(4) Persistent connection settings

KeepAlive on #开启持久性连接功能. That is, when the client connects to the server, it remains connected after downloading the data.

Maxkeepaliverequests #一个连接服务的最多请求次数.

KeepAliveTimeout #持续连接多长时间, the connection is disconnected if no more data is requested. The default is 15 seconds.

Alias settings
You can use either symbolic connections or aliases for pages that are not in the directory specified by DocumentRoot. The alias is set as follows:

alias/download/"/var/www/download/" #访问时可以输入: http://www.custing.com/download/

Copy Code code as follows:

<directory "/var/www/download" > #对该目录进行访问控制设置
Options Indexes MultiViews
AllowOverride authconfig
Order Allow,deny
Allow from all

CGI settings

scriptalias/cgi-bin/"/mnt/software/apache2/cgi-bin/" can be accessed by: http://www.clusting.com/cgi-bin/. But the CGI script file in this directory should be executable permissions!

<directory "/usr/local/apache2/cgi-bin" > #设置目录属性
AllowOverride None
Options None
Order Allow,deny
Allow from all

Personal homepage Settings (public_html)

Userdir public_html (the user's home page is stored in the user's home directory under the public_html directory URL http://www.clusting.com/~bearzhang/file.html will read/home/ bearzhang/public_html/file.html file)
chmod 755/home/bearzhang #使其它用户能够读取该文件.
Userdir/var/html (The URL http://www.clusting.com/~bearzhang/file.html will read/var/html/bearzhang/file.html)
Userdir/var/www/*/docs (The URL http://www.clusting.com/~bearzhang/file.html will read/var/www/bearzhang/docs/file.html)

Settings for logs

(1) Error log settings
ErrorLog Logs/error_log #日志的保存位置
LogLevel warn #日志的级别

The format displayed is in the sunshine:
[Mon Oct 10 15:54:29 2005] [ERROR] [Client] Access to/download/failed, Reason:user admin not allowed access

(2) Access log settings

The default format for logging is as follows:
Logformat "%h%l%u%t"%r "%>s%b"%{referer}i ""%{user-agent}i "" combined
Logformat "%h%l%u%t"%r "%>s%b" common #common为日志格式名称
Logformat "%{referer}i->%u" Referer
Logformat "%{user-agent}i" Agent
Customlog Logs/access_log Common

The various parameters in the format are as follows:

%H--The IP address or host name of the client
%l--the This is the RFC 1413 identity that is judged by the client identd, and the symbol "-" in the output indicates that the information here is invalid.
%u-the name of the customer accessing the Web page obtained by the HTTP authentication system. Valid with authentication, the symbol "-" in the output indicates that the information here is invalid.
%t-the time that the server completes processing the request.
"%r"-quotation marks are the content of a request from a customer that contains a lot of useful information.
%>s-This is the status code that the server returns to the client.
%b-The last item is the number of bytes returned to the client that do not include the response header.
"%{referer}i"-this item indicates which web page the request was submitted from.
"%{user-agent}i"-this is the browser-aware information provided by the client's browser.

The following is an example of an access log: [10/oct/2005:16:53:06 +0800] "get/download/http/1.1" 200 1228[10/oct/2005:16:53:06 +0800] "Get/icons/blank.gif http/1.1" 304-[10/oct/2005:16:53:06 +0800] "Get/icons/back.gif http/1.1" 304-

For a detailed explanation of each parameter, see: http://www.clusting.com/Apache/ApacheManual/logs.html

User-authenticated configuration
(1) in the httpd.conf:
Accessfilename. htaccess
<directory "/var/www/download" >
Options Indexes
AllowOverride authconfig
(2) Create a password file:
/usr/local/apache2/bin/htpasswd-c/var/httpuser/passwords Bearzhang

(3) Onfigure the server to request a password and tell the server which users are allowed access.
AuthType Basic
AuthName "Restricted Files"
Require User Bearzhang
#Require valid-user #all Valid user

Configuration of the virtual host
(1) Virtual host configuration based on IP address
Listen 80
ServerName www.example1.com
ServerName www.example2.org

(2) Virtual host configuration based on IP and multi-port

ServerName www.example1.com

ServerName www.example1.com

ServerName www.example1.org

ServerName www.example2.org

(3) Domain-based virtual host configuration on a single IP address server:
# Ensure that Apache listens on port 80
Listen 80

# Listen for virtual host requests to all IP addresses
Namevirtualhost *:80

<virtualhost *:80>
ServerName www.example1.com
Serveralias example1.com. *.example1.com
# Other Directives here

<virtualhost *:80>
ServerName www.example2.org
# Other Directives here

(4) Configure a domain-based virtual host on multiple IP address servers:
Listen 80

# This is the ' main ' server running on
ServerName server.domain.com

# This is the

ServerName www.example1.com
# Other directives ...

ServerName www.example2.org
# Other directives ...

(5) running different sites on different ports (configuring a domain based virtual host on a multiport server):
Listen 80
Listen 8080


ServerName www.example1.com

ServerName www.example1.com

ServerName www.example2.org

ServerName www.example2.org

(6) Domain-based and IP-based hybrid virtual host configuration:
Listen 80


ServerName www.example1.com

ServerName www.example2.org

ServerName www.example3.net

Configuration of SSL Encryption

First, get some basic concepts before you configure them:

The concept of a certificate: first to have a root certificate, and then use the root certificate to issue the server certificate and client certificate, generally understand: Server certificate and client certificate is a peer relationship. SSL must have a server certificate installed to authenticate. Therefore: In this environment, you must have at least three certificates: a root certificate, a server certificate, and a client certificate. Before you generate a certificate, you typically have a private key, which generates a certificate request with the private key, and then uses the Certificate Server root card to issue the certificate.

The certificate used by SSL can be built on its own, or it can be signed by a commercial CA (such as VeriSign or Thawte).

Issue Certificate: If you are using a commercial certificate, please check the relevant seller's description; If the certificate is issued by a confidant, you can use the OpenSSL ca.sh scripting tool.

If a certificate is not issued for a separate client, the client certificate can be used without a build and the client uses the same certificate as the server side.
(1) The main parameters in the conf/ssl.conf configuration file are configured as follows:

Listen 443
Sslpassphrasedialog Buildin
#SSLPassPhraseDialog Exec:/path/to/program
Sslsessioncache Dbm:/usr/local/apache2/logs/ssl_scache
Sslsessioncachetimeout 300
Sslmutex File:/usr/local/apache2/logs/ssl_mutex

<virtualhost _default_:443>

# General setup for the virtual host
DocumentRoot "/usr/local/apache2/htdocs"
ServerName www.example.com:443
ServerAdmin you@example.com

Sslengine on
Sslciphersuite all:! Adh:! Export56:rc4+rsa:+high:+medium:+low:+sslv2:+exp:+enull

Customlog/usr/local/apache2/logs/ssl_request_log "%t%h%{ssl_protocol}x%{ssl_cipher}x"%r "%b"


(2) Create and use a self-signed certificate:
A.create a RSA private key for your Apache server
/usr/local/openssl/bin/openssl Genrsa-des3-out/usr/local/apache2/conf/ssl.key/server.key 1024

B. Create a certificate signing Request (CSR)
/usr/local/openssl/bin/openssl req-new-key/usr/local/apache2/conf/ssl.key/server.key-out/usr/local/apache2/conf /ssl.key/server.csr

C. Create a self-signed CA certificate (X509 structure) with the RSA key of the CA
/usr/local/openssl/bin/openssl req-x509-days 365-key/usr/local/apache2/conf/ssl.key/server.key-in/usr/local/ Apache2/conf/ssl.key/server.csr-out/usr/local/apache2/conf/ssl.crt/server.crt

/usr/local/openssl/bin/openssl Genrsa 1024-out Server.key
/usr/local/openssl/bin/openssl Req-new-key server.key-out SERVER.CSR
/usr/local/openssl/bin/openssl req-x509-days 365-key server.key-in server.csr-out server.crt

(3) Create your own CA (authentication certificate) and use the CA to sign the server's certificate.
CP Openssl-0.9.7g/apps/ca.sh/ca
OpenSSL genrsa-des3-out Server.key 1024
OpenSSL Req-new-key server.key-out SERVER.CSR
CP server.key/usr/local/apache2/conf/ssl.key/

Gzip Configuration:

LoadModule Deflate_module modules/mod_deflate.so

Setoutputfilter DEFLATE
Addoutputfilterbytype DEFLATE text/html text/css text/plain text/xml

Access control:

Order Deny,allow
Deny from all
Allow from

Flow control:
Bandwidth All 51200
Maxconnection All 30
Bandwidtherror 510

Set proxy to forward the request:

Proxyrequests off

VirtualHost Configuration instance:
<virtualhost *>
ServerName a.bwl.com
Serveralias b.bwl.com
DocumentRoot "/search/a"
DirectoryIndex abc.html

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.